Re: [PATCH] x86: Lock down MSR writing in secure boot

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2013-02-12 at 16:48 -0800, H. Peter Anvin wrote:

> OK... what none of this gets into:
> 
> Why should CAP_RAWIO be allowed on a secure boot system, when there are
> 2^n known ways of compromise a system with CAP_RAWIO?

CAP_SYS_RAWIO seems to have ended up being a catchall of "Maybe someone
who isn't entirely root should be able to do this", and not everything
it covers is equivalent to being able to compromise the running kernel.
I wouldn't argue with the idea that maybe we should just reappraise most
of the current uses of CAP_SYS_RAWIO, but removing capability checks
from places that currently have them seems like an invitation for
userspace breakage.
��.n��������+%������w��{.n�����{����*jg��������ݢj����G�������j:+v���w�m������w�������h�����٥



[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux